A number of us on the Vulnerability Analysis team have been out and about giving talks at various conferences recently. This post provides links to the presentation slides, related blog posts, and the videos where available.

Will Dormann and Joji Montelibano presented How We Discovered Thousands of Vulnerable Android Apps in 1 Day at RSA Conference 2015 in April. This talk extended the work described in Will's blog post Finding Android SSL Vulnerabilities with CERT Tapioca. The slides are available in PDF format from the SEI Digital Library.

Abstract: Thousands of Android applications do not implement SSL correctly. Such apps can mislead users into thinking that they are carrying out secure transactions when, in fact, all information is being relayed in clear text! In this presentation, we will describe our methodology in discovering these vulnerabilities, and recommend mitigation strategies for both developers and users.

I gave a talk on Coordinated Vulnerability Disclosure and Concurrency Modeling at RVASec 2015 in June. This was an extension of my similarly titled blog post from last December. A video is provided by RVASec, and the PDF slides are available in the SEI Digital Library.

Abstract: Media reports about Zero Days, bug bounties, and branded vulnerabilities usually focus on the publication of a vulnerability report. Vulnerability disclosure policies recently hit the mainstream with public kerfuffles between Google and Microsoft over the timing of a few vulnerability announcements.

However, public reports largely ignored the process of coordination and disclosure that precedes a publication event. For the past 26 years at the CERT Coordination Center, we have been helping connect security researchers and vendors in the interest of improving the security of the Internet and providing users and administrators with the information they need to secure their systems.

In this talk I describe the process of coordinating vulnerability disclosures, why it's hard, and some of the pitfalls and hidden complexities we have encountered. The talk is a behind-the-scenes look at a process that doesn't receive much attention yet is of critical importance to internet security.

Art Manion, in collaboration with Taki Uchiyama of JPCERT/CC and Masato Terada of HIRT presented the VRDX-SIG: Global Vulnerability Identification at the 27th Annual FIRST Conference in Berlin in June. A PDF containing the slides is available from FIRST. (FIRST is the Forum for Incident Response and Security Teams.)

Abstract: Like most ontological exercises, defining what exactly constitutes a software vulnerability turns out to be at least somewhat subjective. Vulnerability databases use different definitions, scopes, identification systems, and data formats. There are some well-known, comprehensive(-ish) databases like Common Vulnerabilities and Exposures (CVE), the Open Sourced Vulnerability Database (OSVDB), and more narrowly-scoped databases like Japan Vulnerability Notes (JVN) and vendor security advisories. Differences in scope and how vulnerabilities are defined and identified lead to difficulty counting, tracking, and responding.

The FIRST Vulnerability Reporting and Data eXchange Special Interest Group (VRDX-SIG) was chartered to study existing practices and develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

What are the key similarities and differences across databases? Should there be a global vulnerability identification system, and what would it look like?

This talk presents results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.

Lastly, I gave a talk at BSides Pittsburgh 2015 on Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats. SecPgh provided the video. A PDF of my slides is available in the SEI Digital Library.

Abstract: What can we learn about vulnerability analysis, mitigation, and designed-in security for the emerging internet of things from history? In this talk we trace the origin and evolution of a physical-world vulnerability that dates to the late 19th century, and explore whether "building security in" is always an available option. We also look at how a number of industries have approached the analysis of their safety failures and what that implies for interconnected embedded systems. Along the way, we meet Andrew Carnegie and a few other historical figures and events that help illuminate some ideas that presage the future of cybersecurity in a world of smart things.